[Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
Edward Ned Harvey (blu)
blu at nedharvey.com
Sat Jan 31 18:03:37 EST 2015
> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Kent Borg
>
> My program already has to hope that its program files are secured by the
> hosting OS, but at least if it isn't opening up a network port it stays
> a rather contained problem.
Depends on a lot of stuff. What language? Running on a system you own, or deployed to someone else, etc?
Normally, passwords that your app needs in order to connect to some other thing should be stored in a config file. Ideally, it should be an OS-encrypted store, for example in C# I would use ProtectedData. This encrypts the file on disk using a complex set of login stuff to derive a key specific to the logged in user - or in mono, the mono MRE generates random keys and stores them in a protected subdir in the users' home dir, so once again it's protected to the logged in user.
More information about the Discuss
mailing list